I hope you are all doing well and hunting websites. Today I’m going to tell you about a very interesting finding which was very simple, and I never expected that it could really exist there.
I was hunting Edmodo nine months back and, after various tests and techniques, I was unable to find any solid bug. Well, before going to bed I saw “Download the Edmodo app”.
This is a feature where you enter your mobile number and they send the application link to that number by SMS.
The only attack that came to my mind was to check whether there was a rate limit or not. Well, I checked and there was a rate limit; I couldn’t even bypass it.
Then I thought about what other attacks could be possible here, and all of a sudden it clicked in my mind: what if I could change the text message into any custom message? And in a couple of clicks, I was able to do it.
The attack was a piece of cake!
Got a temporary SMS number to receive the message!
Entered the number in the field and clicked to send the link!
Intercepted the request with “Burp Suite” (you must have heard the name) and changed the message inside the inverted commas!
The message was changed to “Testing this website to act ethically!”, then I forwarded the request and turned intercept off!
And the message was received!
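To show the defender’s side of this, here is an added example (not Edmodo’s code; the template, download URL and field names are assumed placeholders) contrasting a handler that takes the SMS body from the request, as the steps above describe, with one that renders the body from a server-side template and treats a client-supplied message field as a tampering signal.

```python
import re

# Constructed placeholders: the real template and URL are not on the page.
APP_DOWNLOAD_URL = "https://app.example.invalid/download"
SMS_TEMPLATE = "Download the app here: {url}"

# The only field a legitimate "send me the link" client ever submits.
ALLOWED_FIELDS = {"phone"}
# Loose E.164 check: leading '+', 8 to 15 digits, no leading zero.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

AUDIT_LOG = []  # in-memory stand-in for the server's security log


def build_sms_vulnerable(params):
    """The flaw from the write-up: the SMS body is read from the request,
    so whatever text the intercepted request carries is what gets sent."""
    return {"to": params["phone"], "body": params["message"]}


def unexpected_fields(params):
    """Fields that should never come from the client (e.g. 'message')."""
    return set(params) - ALLOWED_FIELDS


def build_sms_hardened(params):
    """The body is rendered server-side from a fixed template; the client
    contributes only a validated phone number. Extra fields are logged as
    a tampering signal rather than silently honoured."""
    extra = unexpected_fields(params)
    if extra:
        AUDIT_LOG.append(f"sms-link request with unexpected fields: {sorted(extra)}")
    phone = str(params.get("phone", "")).strip()
    if not E164.match(phone):
        raise ValueError("phone number must be in E.164 form, e.g. +12025550100")
    return {"to": phone, "body": SMS_TEMPLATE.format(url=APP_DOWNLOAD_URL)}


if __name__ == "__main__":
    # Constructed sample of the tampered request described in the write-up.
    tampered = {"phone": "+12025550100",
                "message": "Testing this website to act ethically!"}
    print(build_sms_vulnerable(tampered)["body"])  # client text goes out
    print(build_sms_hardened(tampered)["body"])    # fixed template goes out
    print(AUDIT_LOG)                               # tampering was recorded
```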
Thank you for reading, I hope you guys like it. Show your love in the comments section below.
-Syed Muhammad Abdul Karim